Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
IcedID first emerged in 2017 as a capable, widely observed banking trojan. Beginning in 2020, IcedID was identified as a precursor to ransomware attacks such as Egregor, Maze and Conti
and has historically utilized email as its delivery vector.
In December 2022, TRU began observing IcedID infections that were traced to payloads downloaded by users from the Internet. This observation coincided with a general uptick in successful IcedID infections in Q4 of 2022, which saw 35% percent of IcedID incidents for the period between January 2022 and January 2023 (Figure 1).
Figure 1 Disrupted IcedID infections between January 2022 and January 2023
The activity in Q4 2022 was a mixture of email and drive-by infections. However, since mid-late December 2022, observed IcedID infections have originated exclusively via drive-by attacks, specifically Google Search Ads targeting common applications.
Google Search Ad Abuse
Malicious Google Search Ads are nothing new, but TRU has
observed an increase in their use to deliver information stealing malware and
IcedID in 2022 and 2023. For IcedID specifically, TRU has observed malicious
ads targeting applications such as Slack, Docker, TeamViewer, Microsoft Teams,
Basecamp and Adobe Reader (among others), as seen in Figure 2.
Figure 2 Google Search Ad masquerading as chat software Slack.
Search ads
utilize the auction-based Pay-Per-Click (PPC) model. Advertisers can enter
a maximum bid for certain search keywords to display their ad so long as their
bid is more than another advertiser’s bid. Additionally, Ads Keyword Planner, a
free tool, provides an estimate for top of page
bids where an advertiser can ensure their ad is shown at the top of the
search results for specific keywords (usually at a premium).
For example, as of January 2023, one would need to place a
maximum bid of $4.30 per click to have an ad displayed at the top of a search
for “slack download”. Therefore, a top of page ad bid for 1000 clicks could
cost between $1330 and $4300 USD. This cost is unlikely to be a significant
barrier to threat actors who are likely using stolen payment data.
Keyword
Currency
Avg. monthly searches
3-month change
YoY change
Competition
Competition (indexed value)
Top of page bid (low range)
Top of page bid (high range)
slack download
USD
135,000
-33%
0%
Low
3
1.33
4.3
Keyword
slack download
Currency
USD
Avg. monthly searches
135,000
3-month change
-33%
YoY change
0%
Competition
Low
Competition (indexed value)
3
Top of page bid (low range)
1.33
Top of page bid (high range)
4.3
Abusing search ads also provides some degree of curation in terms of ideal targets. This is reflected by both the keywords targeted (primarily software used in corporate environments) and audience segments, which includes detailed demographics, interests, intents and other attributes estimated by Google (Figure 3).
Figure 3 Audience configuration options in Google Ads.
Google does use a review process for new ads to ensure compliance with their ad policy, including malicious software. It’s not immediately clear how threat actors are circumventing these compliance checks.
Cloaking is a common tactic used to hide malicious content from all but the intended victim. An example of traffic redirection can be seen in Figure 2 above, where slackapp[.]tech is the ad link, but the final content is hosted on wvwslack[.]top. Another example can be seen in Figures 4 and 5 below, where a download page impersonating Docker leads to the legitimate Docker binary. However, in a subsequent review, the page leads to an IcedID payload host on Google FireBase storage.
Figure 4 A malicious webpage masquerading as Docker’s download page. In this instance, it served the legitimate docker installation file.Figure 5 The website from Figure 4 on subsequent visit delivering IcedID payload via Google Firebase.
IcedID to Cobalt Strike Handoff
In mid-January 2023, a customer endpoint became infected with IcedID originating from a website masquerading as Adobe Reader. The victim arrived on the website (vwv-adobe[.]top) from clicking a Google Search Ad for Adobe software (Figure 6).
Figure 6 IcedID download page masquerading as Adobe Reader. The payload was hosted on Google's Firebase service.
The setup file (6718a804f5d5064fa3b918d844fd727d) is padded to inflate its size to over 700MB to inhibit automated inspection. When executed, IcedID executes an initial round of reconnaissance commands and initiates a check-in with the C2 (qsertopinajil[.]com), as seen in Figure 7.
Figure 7 Endpoint telemetry showing IcedID's initial execution process behavior.
The living-off-the-land reconnaissance commands used are not indifferent than what TRU has observed with malware whose objective is delivering footholds to hands-on-keyboard adversaries. The output from these commands provides a quick summary of the foothold’s worth and is likely used to triage and prioritize the most valuable footholds.
WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
ipconfig /all
systeminfo
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain
Within 30 minutes, IcedID attempted to execute a PowerShell script (ozye.txt) using fodhelper.exe to bypass UAC but was blocked from doing so.
Our team of 24/7 SOC
Cyber Analysts retrieved the PowerShell script from the system and
determined it contained a Cobalt Strike Beacon loader
(f36c8d12db66730f3cf94d28331b90ac) configured to spawn and inject into a child
PowerShell process. The beacon was configured to communicate with poasnm[.]com
using HTTP and spawn using regsvr32.exe.
Our SOC identified suspicious reconnaissance activity on a
customer endpoint and immediately notified the customer while an investigation
took place. The case was escalated when the blocked Cobalt Strike activity
occurred and the system was immediately contained.
What can you learn from this TRU positive?
Drive-by cyberattacks are on the rise. These cyberattacks rely on social engineering techniques over software exploits.
IcedID is unlikely to be the last email-borne threat to shift delivery methods and tactics. As email defenses improve, you should expect drive-by attacks to become more abundant.
Broad targeting of targets that are ideal for fraud and/or extortion attacks is made possible by abusing marketing tools available in ad platforms.
IcedID is no longer exclusively a banking trojan. Like other former bankers (e.g., Qakbot), an IcedID foothold can be weaponized for initial access into the network.
In the case mentioned above, an attempt was made to weaponize the foothold within 30 minutes.
Recommendations from our Threat Response Unit (TRU):
General Guidance for Users:
Prioritize application installs from your organization’s library of approved applications (if implemented).
Treat files downloaded from the Internet with the same vigilance as those delivered through email. Assume files are potentially hostile regardless of the path that got you there. Remember, a website hosting software advertised on a trusted search engine does not inherit that trust.
Verify the source of the file:
Examine the URL – does it match the expected website for the application? Look for typos or other odd characters (wvw-slack[.]com vs slack.com).
When in doubt, browse to the company’s website and locate their downloads page.
Examine the file:
Legitimate software downloads are unlikely to be password-protected.
Examine the file extension. Files ending with .iso, .vbs, .lnk or .js are all unlikely to be legitimate.
Guidance for IT:
Ensure employees have access to a dedicated software center to download corporate-approved software.
Raise awareness of malware masquerading as legitimate applications, and include relevant examples within your Phishing and Security Awareness Training (PSAT) program to educate your employees on how to protect themselves against similar cyber threats.
Audit your environment regularly to ensure all endpoints are patched with the latest vendor security updates.
Protect endpoints against malware by:
Ensuring antivirus signatures are up-to-date.
Using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) tool to detect and contain threats.
Indicators of Compromise
Indicator
Note
www-goto-com[.]top
IcedID Download Page
www-onenote-us[.]top
www-fortinet-com[.]top
www-irsform-com[.]top
www-discord-us[.]top
ww-citrixcom[.]top
wvw-basecamp-us[.]com
wvw-docker-us[.]com
wvw-microsofteams[.]top
wvw-mlcrosofteams[.]top
vwv-adobe[.]top
mlcrosofteams[.]top
www-docker[.]top
www-teamviewer[.]top
wvw-slack-us[.]com
wvwslack[.]top
wvw-teanviwer-us[.]com
wvw-webex-us[.]com
eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
